Detect Transmitted Data Manipulation in Microsoft Sentinel
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, threatening data integrity. Manipulation may occur over network connections or between system processes, including intercepting clipboard contents to replace cryptocurrency addresses (crypto-clipping), modifying financial wire transfer messages such as SWIFT transactions, or altering email content during transit. Real-world examples include APT38 using DYEPACK to manipulate SWIFT messages, LightNeuron modifying Exchange email content in-flight, and commodity banking trojans Melcoz and Metamorfo silently replacing copied wallet addresses. This technique typically requires prolonged access and specialized knowledge of the target transmission mechanism.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1565 Data Manipulation
- Sub-technique
- T1565.002 Transmitted Data Manipulation
- Canonical reference
- https://attack.mitre.org/techniques/T1565/002/
KQL Detection Query
// T1565.002 — Transmitted Data Manipulation
// Covers: clipboard hijacking (crypto-clipping), netsh portproxy traffic redirection,
// new kernel/NDIS filter driver installation, process injection into network-facing apps
// --- Clipboard hijacking via scripting engines (Melcoz/Metamorfo pattern) ---
let ClipboardHijack = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any (
"Get-Clipboard", "Set-Clipboard",
"[Windows.Forms.Clipboard]", "System.Windows.Forms.Clipboard",
"GetClipboardData", "SetClipboardData", "OpenClipboard",
"clipboard.paste", "clipboard.copy", "pyperclip", "win32clipboard"
)
| extend DetectionType = "ClipboardHijack"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, RiskScore,
RegistryKey = "", RegistryValueName = "", RegistryValueData = "";
// --- netsh portproxy: redirecting traffic to attacker-controlled endpoint ---
let PortProxyRedirect = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "portproxy"
and ProcessCommandLine has_any ("add", "set")
and ProcessCommandLine has "connectaddress"
| extend DetectionType = "PortProxy_TrafficRedirection"
| extend RiskScore = 80
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, RiskScore,
RegistryKey = "", RegistryValueName = "", RegistryValueData = "";
// --- New kernel driver installation (WFP callout / NDIS filter for traffic interception) ---
let NetworkFilterDriver = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "CurrentControlSet\\Services"
| where RegistryValueName =~ "Type"
| where RegistryValueData in ("1", "0x00000001") // SERVICE_KERNEL_DRIVER
| extend ServiceName = extract(@"Services\\([^\\]+)", 1, RegistryKey)
| where isnotempty(ServiceName)
| extend DetectionType = "NetworkFilterDriver_NewKernelDriver"
| extend RiskScore = 85
| project Timestamp, DeviceName, AccountName, FileName = ServiceName, ProcessCommandLine = "",
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, RiskScore,
RegistryKey, RegistryValueName, RegistryValueData;
// --- Remote thread injection into browser/email clients (intercept data in-process) ---
let BrowserMailInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where FileName in~ (
"chrome.exe", "firefox.exe", "msedge.exe",
"outlook.exe", "thunderbird.exe", "iexplore.exe"
)
| where InitiatingProcessFileName !in~ (
"chrome.exe", "firefox.exe", "msedge.exe",
"outlook.exe", "thunderbird.exe", "iexplore.exe"
)
| extend DetectionType = "ProcessInjection_NetworkApp"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine = "",
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, RiskScore,
RegistryKey = "", RegistryValueName = "", RegistryValueData = "";
// --- Known MITM tool execution ---
let MITMTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("arpspoof", "ettercap", "bettercap", "responder", "mitmproxy")
or (ProcessCommandLine has_any ("arpspoof", "bettercap", "ettercap", "responder", "mitmproxy")
and FileName in~ ("python.exe", "python3.exe", "bash", "sh"))
| extend DetectionType = "MITMTool_Execution"
| extend RiskScore = 95
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, RiskScore,
RegistryKey = "", RegistryValueName = "", RegistryValueData = "";
union ClipboardHijack, PortProxyRedirect, NetworkFilterDriver, BrowserMailInjection, MITMTools
| sort by RiskScore desc, Timestamp descMulti-vector detection for T1565.002 using Microsoft Defender for Endpoint tables. Covers five attack patterns: (1) clipboard hijacking via scripting engines targeting cryptocurrency address replacement (Melcoz/Metamorfo pattern); (2) netsh portproxy commands redirecting network traffic to attacker-controlled endpoints; (3) new kernel driver installations used to set up WFP callout or NDIS filter drivers for traffic interception; (4) remote thread injection into browser and email client processes to intercept transmitted data in-process; and (5) execution of known MITM tools. Each hit is tagged with a DetectionType and RiskScore for analyst prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
- Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
- IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
- Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
- VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
- Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments
Other platforms for T1565.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Crypto Clipboard Hijacker Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard', 'Set-Clipboard', and '-WindowStyle Hidden'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will show the full deobfuscated script including the attacker address. The short-lived process (5 seconds) creates a single process creation event.
- Test 2netsh PortProxy Rule Creation for Traffic Redirection
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy', 'add v4tov4', 'listenport=8080', and 'connectaddress=127.0.0.1'. Sysmon Event ID 13 (RegistryValueSet) at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\127.0.0.1/8080 with the connectaddress value. Security Event ID 4688 (if command line auditing is enabled via GPO) captures the full netsh invocation.
- Test 3Python Clipboard Monitor with Cryptocurrency Address Pattern
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'pyperclip', 'clipboard', and the regex pattern. If pip install fires, a second child process (pip.exe or python.exe -m pip) creates an additional Event ID 1. Sysmon Event ID 3 may capture outbound connection to PyPI if the pip install path is triggered.
- Test 4ARP Cache Poisoning with Built-in arp.exe (MITM Precursor)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.1.254 aa-bb-cc-dd-ee-ff'. Security Event ID 4688 (with process command line auditing enabled) captures the arp invocation. No file or registry changes are written. Verify effect with 'arp -a' — the injected static entry shows type 'static' rather than 'dynamic'.
References (11)
- https://attack.mitre.org/techniques/T1565/002/
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
- https://www.justice.gov/opa/press-release/file/1092091/download
- https://securelist.com/brazilian-banking-trojans-and-windows-clipboard/97373/
- https://www.fortinet.com/blog/threat-research/metamorfo-banking-trojan-keeps-targeting-brazil
- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-much/
- https://learn.microsoft.com/en-us/windows/win32/wfp/windows-filtering-platform-start-page
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1565.002/T1565.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
Unlock Pro Content
Get the full detection package for T1565.002 including response playbook, investigation guide, and atomic red team tests.